Protocol agent field details

• Checked — Enables incoming CIS connection handling.
• Unchecked — Disables incoming CIS connection handling.

• Checked — Rematches the encapsulated payload inside the tunneling packet until the maximum rematch count defined in the engine properties is reached.
• Unchecked — Does not rematch encapsulated payload.

• Checked — Allows tunneling over IPv4.
• Unchecked — Stops connections that are tunneled over IPv4.

• Checked — Allows tunneling over IPv6.
• Unchecked — Stops connections that are tunneled over IPv6.

• Checked — Rematches the encapsulated payload inside the tunneling packet until the maximum rematch count defined in the engine properties is reached.
• Unchecked — Does not rematch encapsulated payload.

• Checked — Terminates traffic that is not using the DNS protocol.
• Unchecked — Allows traffic to pass even if the traffic is not DNS-related.

• Checked — Terminates traffic that is not using the DNS protocol.
• Unchecked — Allows traffic to pass even if the traffic is not DNS-related.

• Checked — Terminates DNS zone transfer messages.
• Unchecked — Allows DNS zone transfer messages to pass.

• Checked — Modifies DNS replies for Google search engines to enforce Google's SafeSearch feature.
• Unchecked — Does not modify DNS replies.

• Checked — Modifies DNS replies for Bing search engines to enforce Bing’s SafeSearch feature.
• Unchecked — Does not modify DNS replies.

• Checked — Modifies DNS replies for DuckDuckGo search engines to enforce DuckDuckGo’s SafeSearch feature.
• Unchecked — Does not modify DNS replies.

Select the safesearch mode from the drop-down list:

• Strict: Filter out inappropriate videos from your search results.
• Moderate: This setting is similar to Strict Mode but makes a much larger collection of videos available.
• Off: Use this setting to turn off both Modes (Strict and Moderate). Only apply this setting if you want to let users in your organization to have unrestricted YouTube access.

• Checked — Allows data connections to be opened with the control connection.
• Unchecked — Disables the Protocol Agent.

Checked — Server is allowed to open data connections to the client (according to information exchanged in the control connection).

• Checked — Client is allowed to open data connections to the server (according to information exchanged in the control connection).
• Unchecked — Client-initiated data connections are forbidden.

• Strict — If commands that do not comply with the RFC 959 FTP standard are used, the connection is dropped.
• Loose — The Protocol Agent tries to identify information for opening the data connection even if the communications do not strictly follow the FTP standards. Sometimes needed with non-standard FTP configurations.

Enter a port value to limit the range of allowed source ports for active data connections on the server.

Value 0 for the lowest port means that the server always uses the port number immediately preceding the destination port. If the server uses a standard port, both the lowest and highest port number must be 0.

(Optional) Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection. To specify a single IP address, enter the same IP address in both fields.

• Forbidden — Traffic is never decrypted.
• Yes — Enables HTTPS decryption and inspection.
• No — HTTPS traffic is not decrypted for inspection.

• Checked — The URLs of sites that users access are included in generated log entries.
  Note: With HTTPS traffic, it is required that the traffic is decrypted.
• No — URLs are not included in generated log entries.

• Checked — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
• Unchecked — All server stream patterns are matched.

• Checked — The engine modifies DNS replies for search engines to enforce SafeSearch feature.
• Unchecked — The engine does not modify DNS replies.

Specify the IP Address Translation Range (IPv4 only) and the Port Translation Range for the redirection.

• Checked — HTTP header that indicates the server support for HTTP3/QUIC is stripped away.
• Unchecked — HTTP header that indicates the server support for HTTP3/QUIC is not stripped away.

• Checked — The URLs of sites that users access are included in generated log entries.
  Note: With HTTPS traffic, it is required that the traffic is decrypted.
• Unchecked — URLs are not included in generated log entries.

• Checked — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
• Unchecked — All server stream patterns are matched.

• On — The engine modifies DNS replies for search engines to enforce SafeSearch feature.
• Off — The engine does not modify DNS replies.

When selected, the proxy validates HTTP requests.

Specifies how URL normalization is applied to HTTP requests:

• Allow — Allows the request.
• Allow and Log — Allows the request and creates a log entry.
• Block and Log — Blocks the request and creates a log entry.
• Off — URL normalization is not enabled.

When selected, the proxy requires the HTTP request to include an HTTP version string.

Specifies whether matching URLs are allowed or denied:

• Allow — Matching URLs are allowed.
• Deny — Matching URLs are denied.

• Any — The proxy allows any commands in HTTP requests.
• List — The proxy allows only the selected commands in HTTP requests.

• Forbidden — Traffic is never decrypted.
• Yes — Enables HTTPS decryption and inspection.
• No — HTTPS traffic is not decrypted for inspection.

Specifies the HTTPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.

Click in the text field to select an HTTPS Inspection Exceptions element.

• Checked — The URLs of sites that users access are included in generated log entries.
  Note: With HTTPS traffic, requires that the traffic is decrypted.
• Unchecked — URLs are not included in generated log entries.

• Checked — When matching connections to the Inspection rules, the server stream matching is done only for patterns that are valid for the client’s browser type and version.
• Unchecked — All server stream patterns are matched.

• Checked — The engine modifies DNS replies for search engines to enforce SafeSearch feature.
• Unchecked — The engine does not modify DNS replies.

• Checked — The Protocol Agent monitors the H.323 connection and allows the related connections in Access and NAT rules.
• Unchecked — Disables the Protocol Agent.

• Checked — Allows H.323 clients to open a special logical channel for audio and video without NAT.
• Unchecked — Special logical channels are not allowed.

• Forbidden — Traffic is never decrypted.
• Yes — Enables HTTPS decryption and inspection.
• No — HTTPS traffic is not decrypted for inspection.

Specifies the IMAPS Inspection Exceptions according to which traffic is decrypted and inspected or allowed to pass without decryption.

Click in the text field to select an IMAPS Inspection Exceptions element.

• Checked — Allows responses sent by the endpoint mapper (EPM) service.
• Unchecked — Disables the Protocol Agent.

• Checked — Allows remote administration of the Microsoft Exchange server through the Exchange System Attendant service.
• Unchecked — Prevents remote administration.

• Checked — Allows the normal use of the Microsoft Outlook client; the Protocol Agent allows the use of Exchange Database service, Directory service, Information Store service, MTA service, and Store service.
• Unchecked — Prevents end-user services.

• Checked — Allows other MSRPC requests in addition to Outlook/Exchange.
• Unchecked — The Service allows only Outlook/Exchange traffic.

• Checked — Allows message types that are not supported by the Protocol Agent to bypass the control connection.
• Unchecked — Allows only supported message types (bind, bind ack, request, and response).

• Checked — Allows database connection based on information in the listener connection.
• Unchecked — Disables the Protocol Agent.

• Checked — Resets the header and packet checksums to zero when the Protocol Agent modifies the packet payload data.
• Unchecked — Checksums remain even when the packet is changed.

• Forbidden — Traffic is never decrypted.
• Yes — Enables HTTPS decryption and inspection.
• No — HTTPS traffic is not decrypted for inspection.

• Forbidden — Traffic is never decrypted.
• Yes — Enables HTTPS decryption and inspection.
• No — HTTPS traffic is not decrypted for inspection.

• Checked — Related RTP and RTCP connections initiated with RTSP are allowed through the engine.
• Unchecked — Disables the Protocol Agent.

• Checked — Standard error (stderr) stream is allowed through the engine as a response to an RSH command.
• Unchecked — Disables the Protocol Agent.

• Checked — Allows SIP media connections based on the signaling connection.
• Unchecked — Disables the Protocol Agent.

• Checked — Requires that the media stream uses the same client-side address as the transport layer.
• Unchecked — Media stream can use any address.

• Checked — Requires that the media stream uses the same server-side address as the transport layer.
• Unchecked — Media stream can use any address.

• Forbidden — Traffic is never decrypted.
• Yes — Enables HTTPS decryption and inspection.
• No — HTTPS traffic is not decrypted for inspection.

• Checked — Validates the SSH transfers according to the parameters defined in this dialog.
• Unchecked — Disables the Protocol Agent.

• Checked — Enables the Protocol Agent.
• Unchecked — Disables the Protocol Agent.

• Checked — If inserted in a NAT rule, the addresses relayed in the NetBIOS communications are translated according to the NAT rule.
• Unchecked — Only the IP addresses in packet headers are translated if inserted in a NAT rule.

• Checked — Allows data connections to be opened with the control connection.
• Unchecked — Protocol Agent is disabled.

• Checked — Allows file transfer from server to client (downloads).
• Unchecked — Downloads are not allowed.

• Checked — Allows file transfer from client to server (uploads).
• Unchecked — Uploads are not allowed.

• Checked — Names of transferred files and their paths are included in generated log entries.
• Unchecked — File and path information is not available in logs.

• No — QUIC traffic is allowed and enables QUIC inspection.
• Yes — QUIC traffic is discarded and web browsers uses TLS for traffic inspection if QUIC is not permitted.
• Default — QUIC traffic is allowed and QUIC inspection is enabled.

• Checked — Allows tunneling over IPv6.
• Unchecked — Stops connections that are tunneled over IPv6.

Specifies how URL normalization is applied to HTTP requests.

• Allow — Allows the request.
• Allow and Log — Allows the request and creates a log entry.
• Block and Log — Blocks the request and creates a log entry.

Specifies whether matching URLs are allowed or denied.

• Allow — Matching URLs are allowed.
• Deny — Matching URLs are denied.

• Any — The proxy allows any commands in HTTP requests.
• List — The proxy allows only the selected commands in HTTP requests.

• Checked — Terminates traffic that is not using the DNS protocol.
• Unchecked — Allows traffic to pass even if the traffic is not DNS-related.

• Checked — Terminates DNS zone transfer messages.
• Unchecked — Allows DNS zone transfer messages to pass.